ConfigMgr

VMware, Azure and Automation

Network Port Diagram vSphere

19 November 2020 VMware

I was troubleshooting an issue with an ESXi host and Update Manager for which I needed the firewall ports. In KB2131180 you can find a PDF document with a beautiful diagram and reference table. But getting all the required ports between a specific source and destination was not easy. So I created this table that is searchable…

Search for “ESXi” to get all the ports for ESXi. Combine this with “vCenter” (“ESXi vCenter”) to narrow your search. I know it’s not perfect but better than a static PDF I think.

| No. | Port | Protocol | Source | Target | Purpose |
| --- | --- | --- | --- | --- | --- |
| 1 | 22 | TCP | Client PC | ESXi | SSH Server |
| 2 | 53 | UDP | ESXi | DNS Server | DNS Client |
| 3 | 68 | UDP | ESXi | DHCP Server | DHCP Client |
| 4 | 80 | TCP | Client PC | ESXi | Redirect Web Browser to HTTPS Service (443) |
| 5 | 88 | TCP | ESXi | Active Directory Server | PAM Active Directory Authentication - Kerberos |
| 6 | 111 | TCP | ESXi | NFS Server | NFS Client – RPC Portmapper |
| 7 | 111 | UDP | ESXi | NFS Server | NFS Client – RPC Portmapper |
| 8 | 123 | UDP | ESXi | NTP Time Server | NTP Client |
| 9 | 161 | UDP | SNMP Server | ESXi | SNMP Polling. Not used in ESXi 3.x |
| 10 | 162 | UDP | ESXi | SNMP Collector | SNMP Trap Send |
| 11 | 389 | TCP/UDP | ESXi | LDAP Server | PAM Active Directory Authentication - Kerberos |
| 12 | 427 | UDP | vSphere Client | ESXi | CIM Service Location Protocol (SLP) |
| 13 | 443 | TCP | vSphere Client | ESXi | vSphere Client to ESXi/ESX Host management connection |
| 14 | 443 | TCP | ESXi | ESXi | Host to host VM migration and provisioning |
| 15 | 445 | UDP | ESXi | MS Directory Services Server | PAM Active Directory Authentication |
| 16 | 445 | TCP | ESXi | MS Directory Services Server | PAM Active Directory Authentication |
| 17 | 445 | TCP | ESXi | SMB Server | SMB Server |
| 18 | 464 | TCP | ESXi | Active Directory Server | PAM Active Directory Authentication - Kerberos |
| 19 | 514 | UDP/TCP | ESXi | Syslog Server | Remote syslog logging |
| 20 | 902 | TCP/UDP | ESXi | ESXi | Host access to other hosts for migration and provisioning |
| 21 | 902 | TCP | vSphere Client | ESXi | vSphere Client access to virtual machine consoles (MKS) |
| 22 | 902 | TCP/UDP | ESXi | vCenter Server | (UDP) Status update (heartbeat) connection from ESXi to vCenter Server |
| 23 | 1024 (dynamic) | TCP/UDP | ESXi | Active Directory Server | Bi-directional communication on TCP/UDP ports is required between the ESXi host and the Active Directory Domain Controller (via the netlogond process on the ESXi host). See Active Directory and Active Directory Domain Services Port Requirements and MS article 179442. |
| 24 | 2049 | TCP | ESXi | NFS Server | Transactions from NFS storage devices |
| 25 | 2049 | UDP | ESXi | NFS Server | Transactions from NFS storage devices |
| 26 | 3260 | TCP | ESXi | iSCSI storage server | Transactions to iSCSI storage devices |
| 27 | 5900 to 5964 | TCP | ESXi | ESXi | RFB protocol which is used by management tools such as VNC |
| 28 | 5989 | TCP | CIM Server | ESXi | CIM transactions over HTTP |
| 29 | 5989 | TCP | vCenter Server | ESXi | CIM XML transactions over HTTPS |
| 30 | 5989 | TCP | ESXi | vCenter Server | CIM XML transactions over HTTPS |
| 31 | 8000 | TCP | ESXi (VM Target) | ESXi (VM Source) | Requests from vMotion |
| 32 | 8000 | TCP | ESXi (VM Source) | ESXi (VM Target) | Requests from vMotion |
| 33 | 8100 | TCP/UDP | ESXi | ESXi | Traffic between hosts for vSphere Fault Tolerance (FT) |
| 34 | 8182 | TCP/UDP | ESXi | ESXi | Traffic between hosts for vSphere High Availability (vSphere HA) |
| 35 | 820083 | TCP/UDP | ESXi | ESXi | Traffic between hosts for vSphere Fault Tolerance (FT) |
| 36 | 8301 | UDP | ESXi | ESXi | DVS Port Information |
| 37 | 8302 | UDP | ESXi | ESXi | DVS Port Information |
| 38 | 31100 | TCP | vCenter Server | SPS Server | Internal Communication Port |
| 39 | 31000 | TCP | SPS Server | vCenter Server | Internal Communication Port |
| 40 | 6500 | UDP | ESXi | vCenter Server | Network coredump server |
| 41 | 8000 | TCP | ESXi | vCenter Server | Network coredump web port |
| 42 | 8001 | TCP | ESXi | vCenter Server | Network syslog server |
| 43 | 25 | TCP | vCenter Server | SMTP Server | Email notifications |
| 44 | 53 | UDP | vCenter Server | DNS Server | DNS lookups |
| 45 | 80 | TCP | Client PC | vCenter Server | vCenter Server requires port 80 for direct HTTP connections. |
| 46 | 80 | TCP | vCenter Server | ESXi | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol |
| 47 | 88 | UDP | vCenter Server | Active Directory Server | AD Authentication |
| 48 | 88 | TCP | vCenter Server | Active Directory Server | AD Authentication |
| 49 | 135 | TCP | vCenter Server | vCenter Server | Linked Mode |
| 50 | 9084 | TCP | vSphere Client | Update Manager | Download of VUM client binary from VUM server machine to the VI client machine. |
| 51 | 162 | UDP | vCenter Server | SNMP Server | SNMP Trap Send |
| 52 | 389 | TCP/UDP | vCenter Server | Linked vCenter Servers | This is the LDAP port number for the Directory Services for the vCenter Server group. The vCenter Server system needs to bind to port 389 even if you are not joining this vCenter Server instance to a Linked Mode group. If another service is running on this port you can run the LDAP service on any port from 1025 through 65535. |
| 53 | 443 | TCP | vSphere Client | vCenter Server | vCenter Server system uses to listen for connections from the vSphere Client. |
| 54 | 443 | TCP | vCenter Server | ESXi | vCenter Agent. Host DPM with HP iLO Remote Management and Control Protocol |
| 55 | 623 | UDP | vCenter Server | ESXi | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol |
| 56 | 636 | TCP | vCenter Server | vCenter Server | vCenter Server Linked Mode this is the SSL port of the local instance. |
| 57 | 902 | TCP | vCenter Server | ESXi | vCenter Server system uses to send data to managed hosts. This port must not be blocked by firewalls between the server and the hosts or between hosts. |
| 58 | 902 | UDP | vCenter Server | ESXi | Managed hosts send a regular heartbeat to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. |
| 59 | 902 | TCP/UDP | vSphere Client | ESXi | vSphere Client uses this port to display virtual machine consoles. |
| 60 | 902 | TCP/UDP | ESXi | ESXi | Host access to other hosts for migration and provisioning |
| 61 | 5480 | TCP | Client PC | vCenter Server | Only applicable for vCenter Server Virtual Appliance - used for accessing VAMI page of vCenter Server Appliance over HTTPS |
| 62 | 1024 (dynamic) | RPC | Linked vCenter Servers | Linked vCenter Servers | Bi-directional RPC communication on dynamic TCP ports is required between all vCenters that need to replicate (via ADAM). A VIC still needs a direct connection to all vCenters that own an object it needs to manage. |
| 63 | 1433 | TCP | vCenter Server | Microsoft SQL Server | For vCenter Microsoft SQL Server Database |
| 64 | 1521 | TCP | vCenter Server | Oracle Database Server | For vCenter Oracle Database |
| 65 | 5988 | TCP | ESXi | vCenter Server | CIM transactions over HTTP |
| 68 | 7500 | UDP | vCenter Server | vCenter Server | Linked Mode Java Discovery Port |
| 69 | 8000 | TCP | vCenter Server | ESXi | Requests from vMotion |
| 70 | 8005 | TCP | vCenter Server | vCenter Server | Internal Communication Port |
| 71 | 8006 | TCP | vCenter Server | vCenter Server | Internal Communication Port |
| 72 | 8009 | TCP | vCenter Server | vCenter Server | AJP Port |
| 73 | 8080 | TCP | Client PC | vCenter Server | Web Services HTTP. Used for the VMware VirtualCenter Management Web Services. |
| 74 | 8083 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics |
| 75 | 8085 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics/SDK |
| 76 | 8086 | TCP | vCenter Server | vCenter Server | Internal Communication Port |
| 77 | 8087 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics |
| 78 | 8443 | TCP | Client PC | vCenter Server | Web Services HTTPS. Used for the VMware VirtualCenter Management Web Services. |
| 79 | 8443 | TCP | vCenter Server | vCenter Server | Linked Mode |
| 80 | 9443 | TCP | Client PC | vCenter Server | vSphere Web Client Access |
| 81 | 10109 | TCP | vCenter Server | vCenter Server | vCenter Inventory Service Service Management |
| 82 | 10111 | TCP | vCenter Server | vCenter Server | vCenter Inventory Service Linked Mode Communication |
| 83 | 10443 | TCP | Client PC | vCenter Server | vCenter Inventory Service HTTPS |
| 84 | 7476 (51915) | TCP | ESXi | vSphere Authentication Proxy | This is a web service which is used to add host to Active Directory domain. |
| 85 | 60099 | TCP | vCenter Server | vCenter Server | Web Service change service notification port |
| 86 | 7005 | TCP | vCenter Server (Tomcat Server settings) | vCenter Single Sign On | Base shutdown port. For more information see Configuring VMware Tomcat Server Settings in vCenter Server 5.1. |
| 87 | 7080 | TCP | vCenter Server (Tomcat Server settings) | vCenter Single Sign On | HTTP Port |
| 88 | 7444 | TCP | vCenter Server (Tomcat Server settings) | vCenter Single Sign On | HTTPS Port |
| 89 | 7009 | TCP | vCenter Server (Tomcat Server settings) | vCenter Single Sign On | AJP Port |
| 90 | 10111 | TCP | vCenter Inventory Service | vCenter Server | vCenter Inventory Service Linked Mode Communication |
| 91 | 25 | TCP | VCO Server | SMTP Server | Email notifications |
| 92 | 389 | TCP/UDP | VCO Server | LDAP Server | LDAP Authentication |
| 93 | 443 | TCP | VCO Server | vCenter Server | Used to obtain virtual infrastructure and virtual machine information from orchestrated vCenter Server(s) through the vCenter API |
| 94 | 636 | TCP | VCO Server | LDAP Server | VCO uses LDAP authentication and group membership to determine role authorization in LCM and access to VMs/requests. This is the SSL secured LDAP protocol LDAPS (the SSL counterpart of 389). This is used for secured LDAP authentication. |
| 95 | 1433 | TCP | VCO Server | Microsoft SQL Server | vCenter Orchestrator Server to Microsoft SQL Server for VCO Database |
| 96 | 1521 | TCP | VCO Server | Oracle Database Server | vCenter Orchestrator Server to Oracle for VCO Database |
| 97 | 3306 | TCP | VCO Server | MySQL Server | vCenter Orchestrator Server to MySQL Server for VCO Database |
| 98 | 5432 | TCP | VCO Server | PostgreSQL Server | vCenter Orchestrator Server to PostgreSQL Server for VCO Database |
| 99 | 8230 | TCP | VCO Client | VCO Server | Lookup port – The main port to communicate with Orchestrator Configurator server (JNDI port). All other ports communicate with the Orchestrator Configurator smart client through this one. It is part of the JBoss Application server infrastructure. |
| 100 | 8240 | TCP | VCO Client | VCO Server | Command port – The application communication port (RMI container port) it is used for remote invocations. It is part of the JBoss Application server infrastructure. |
| 101 | 8244 | TCP | VCO Client | VCO Server | Data port used to access all Orchestrator data models such as workflows and policies. It is part of the JBoss application server infrastructure. |
| 102 | 8250 | TCP | VCO Client | VCO Server | Messaging port – The Java messaging port used to dispatch events. It is part of the JBoss Application server infrastructure. |
| 103 | 8280 | TCP | VCO Server | VCO Server | Port used by VCO Server to connect to the Web front-end via HTTP |
| 104 | 8281 | TCP | VCO Server | VCO Server | Port used by VCO Server to connect to the Web front-end via HTTPS |
| 105 | 8281 | TCP | vCenter Server | VCO Server | Port used by VCO Server to connect to vCenter Server to communicate with the vCenter API |
| 106 | 8282 | TCP | VCO Client PC | VCO Server | HTTP server port – Port used by the HTTP connector to connect to the Web frontend. |
| 107 | 8283 | TCP | VCO Client PC | VCO Server | HTTPS server port – Port used by HTTP connector to connect to the Web frontend. Requires Jetty to be configured for SSL. |
| 108 | 80 | TCP | Update Manager Server | www.vmware.com and xml.shavlik.com | To obtain metadata for the updates Update Manager must be able to connect to http://www.vmware.com and http://xml.shavlik.com |
| 109 | 80 | TCP | ESXi | Update Manager | ESXi/ESX Host to Update Manager Server. The reverse proxy forwards the request to port 9084 |
| 110 | 80 | TCP | Update Manager | vCenter Server | Update Manager to vCenter Server communication |
| 111 | 443 | TCP | Update Manager Server | www.vmware.com and xml.shavlik.com | To obtain metadata for the updates Update Manager must be able to connect to http://www.vmware.com and http://xml.shavlik.com |
| 112 | 443 | TCP | ESXi | Update Manager | ESXi/ESX Host to Update Manager Server. The reverse proxy forwards the request to port 9084 |
| 113 | 443 | TCP | vCenter Server | Update Manager | vCenter Server to Update Manager Server. The reverse proxy forwards the request to port 8084 |
| 114 | 735 | TCP | Update Manager Server | Virtual Machines | Update Manager listener port (rdevServer.exe), part of the Remote Device Server used for virtual machine patching. |
| 115 | 902 | TCP | Update Manager | ESXi | To push patches and updates from Update Manager to the ESXi/ESX Hosts to be updated |
| 116 | 1433 | TCP | Update Manager Server | Microsoft SQL Server | Update Manager to Microsoft SQL Server connectivity (for UM Database) |
| 117 | 1521 | TCP | Update Manager Server | Oracle Database Server | Update Manager to Oracle connectivity (for UM Database) |
| 118 | 8084 | TCP | Update Manager | vCenter Server | SOAP between components of Update Manager Server and the vCenter Update Manager client plug-in. Configurable at install. |
| 119 | 9084 | TCP | ESXi | Update Manager | ESXi/ESX hosts connect to the VUM (VMware Update Manager) webserver listening for updates. Configurable at install. |
| 120 | 9087 | TCP | Update Manager | vCenter Server | Port used for uploading host update files. Configurable at install. |
| 121 | 9000 to 9100 | TCP | ESXi | Update Manager | This is the recommended port range from which to choose ports for Update Manager if ports 80 and 443 are already in use. Update Manager automatically opens these ports for ESX Host scanning and remediation. |
| 122 | 111 | TCP/UDP | vCloud Director Cell | NFS Server | NFS portmapper used by transfer service |
| 123 | 920 | TCP/UDP | vCloud Director Cell | NFS Server | NFS rpc.statd used by transfer service |
| 124 | 61611 | TCP | vCloud Director Cell (Message Bus) | vCloud Director Cell | ActiveMQ |
| 125 | 61616 | TCP | vCloud Director Cell (Message Bus) | vCloud Director Cell | ActiveMQ |
| 126 | 25 | TCP/UDP | vCloud Director Cell | SMTP Server | SMTP |
| 127 | 53 | TCP/UDP | vCloud Director Cell | DNS Server | DNS |
| 128 | 123 | TCP/UDP | vCloud Director Cell | NTP Time Server | NTP |
| 129 | 389 | TCP/UDP | vCloud Director Cell | LDAP Server | LDAP |
| 130 | 443 | TCP | vCloud Director Cell | ESXi / vCenter | vCenter Server and ESXi connections |
| 131 | 514 | UDP | vCloud Director Cell | Syslog Server | Optional enables syslog use |
| 132 | 902 | TCP | vCloud Director Cell | ESXi / vCenter | vCenter Server and ESXi connections |
| 133 | 903 | TCP | vCloud Director Cell | ESXi / vCenter | vCenter Server and ESXi connections |
| 134 | 1433 | TCP | vCloud Director Cell | SQL Server Database | Default Microsoft SQL Server database port |
| 135 | 1521 | TCP | vCloud Director Cell | Oracle Database Server | Default Oracle database port |
| 136 | 5672 | TCP/UDP | vCloud Director Cell | AMQP RabbitMQ | Optional AMQP messages for task extensions. |
| 137 | 10109 | TCP | vCenter Server | vCenter Server | vCenter Inventory Service Management |
| 138 | 10111 | TCP | vCenter Server | vCenter Server | vCenter Inventory Service Linked Mode Communication |
| 139 | 10111 | TCP | vCenter Inventory Service | vCenter Server | vCenter Inventory Service Linked Mode Communication |
| 140 | 10080 | TCP | vSphere Client | vCenter Server | vCenter Inventory Service HTTP |
| 141 | 10443 | TCP | vSphere Client | vCenter Server | vCenter Inventory Service HTTPS |
| 142 | 9443 | TCP | Client PC | Web Client Server | Web Client Server HTTPS connection |
| 143 | 9090 | TCP | Client PC | Web Client Server | Web Client Server HTTP connection |
| 144 | 443 | TCP | Web Client Server | vCenter Server | Web Client Server to vCenter Server connection |
| 145 | 7444 | TCP | Web Client Server | vCenter Single Sign On | SSO Lookup service connection |
| 146 | 5988.8889 | TCP | CIM Server | ESXi | CIM transactions over HTTP (only used in case of loopback – for the applications running locally) |
| 147 | 12443 | TCP | Web Client Server | Log Browser Service | For accessing the logs |
| 148 | 12221 | TCP | Log Browser Proxy | Log Browser Service | Internal port for Log Browser administration page. It opens a socket (only bound to localhost) to accept admin commands. |
| 149 | 9 | UDP | vCenter Server | Virtual Volume | Used by the Virtual Volumes feature |
| 150 | 546 | TCP/UDP | DHCP Server | ESXi | DHCP client for IPv6 |
| 151 | 547 | TCP/UDP | ESXi | DHCP Server | DHCP client for IPv6 |
| 152 | 2233 | TCP | ESXi | Virtual SAN Transport | Used for RDT traffic (Unicast peer to peer communication) between Virtual SAN nodes. |
| 153 | 12345.23451 | UDP | ESXi | Virtual SAN Clustering Service | Cluster Monitoring Membership and Directory Service used by Virtual SAN. |
| 154 | 2012 | TCP | vCenter Server | SSO | Control interface RPC for vCenter Single Sign-On (SSO). |
| 155 | 2014 | TCP | vCenter Server | SSO | RPC port for all VMCA (VMware Certificate Authority) APIs. |
| 156 | 2020 | TCP/UDP | vCenter Server | vCenter Server | Authentication framework management |
| 157 | 443 | TCP | vSphere Web Client | ESXi | Client connections |
| 158 | 6500 | TCP/UDP | vCenter Server | ESXi | ESXi Dump Collector port |